Advertisement

Herausforderungen und Implikationen für das Cyber-Risikomanagement sowie die Versicherung von Cyberrisiken – Eine empirische Analyse

  • Dirk WredeEmail author
  • Thorben Freers
  • Johann-Matthias Graf von der Schulenburg
Abhandlung
  • 63 Downloads

Zusammenfassung

Der Beitrag untersucht vor dem Hintergrund einer hochdynamischen, extrem wandlungsfähigen Risikolandschaft in den Unternehmen den Status quo der Versicherung von Cyberrisiken sowie den Umgang mit solchen Gefahren im Risikomanagement. Angesichts der Neuartigkeit und Komplexität des Themas sowie der bisherigen unzureichenden Betrachtung im Schrifttum werden Interviews mit Experten aus Versicherungs- und Beratungsunternehmen sowie Interessenverbänden geführt. Die Untersuchungsergebnisse zeigen, dass in der Unternehmenspraxis ein mangelndes Risikobewusstsein für Cyberbedrohungen einen bedeutenden Einflussfaktor für die IT-Sicherheit darstellt und Cyberrisiken im Risikomanagement häufig unzureichend berücksichtigt werden. Zudem bieten Cyber-Policen aktuell keine Allgefahrendeckung für Cyberschäden und der deutsche Cyber-Versicherungsmarkt ist bislang wenig erschlossen.

Challenges and implications for cyber risk management and insurance of cyber risks—An empirical analysis

Abstract

This paper examines the status quo of insurance coverage and risk management of cyber threats. Cyber risks face the issues of innovative and complex character, thus we conducted interviews with experts from insurance companies and management consultancy firms as well as interest associations and evaluated them using the qualitative content analysis of Mayring. We found that insufficient cyber security awareness is a key factor influencing the IT security and the diverse risk potentials of cyber threats are inadequate included in the risk management. Likewise many insurance policies provide limited coverage for losses caused by cyber risks.

Literatur

  1. Abawajy, J.: User preference of cyber security awareness delivery methods. Behav. Inf. Technol. 33(3), 237–248 (2014)Google Scholar
  2. Adler, S.B., Sand, R.A.: Internet insurance whitepaper how to build insurable Internet business. Geneva Pap. Risk Insur. Issues Pract. 23(1), 81–102 (1998)Google Scholar
  3. Albrechtsen, E.: A qualitative study of users’ view on information security. Comput. Secur. 26(4), 276–289 (2007)Google Scholar
  4. Albrechtsen, E., Hovden, J.: Improving information security awareness and behaviour through dialogue, participation and collective reflection. An intervention study. Comput. Secur. 29(4), 432–445 (2010)Google Scholar
  5. Anderson, R.J.: Liability and computer security: nine principles. In: Gollmann, D. (Hrsg.) Computer Security ESORICS 94: Third European Symposium on Research in Computer Security, Brighton, United Kingdom, November 7–9, 1994. Proceedings, S. 231–245. Springer, Berlin, Heidelberg (1994)Google Scholar
  6. Anderson, R.J., Moore, T.: The economics of information security. Science 314(5799), 610–613 (2006)Google Scholar
  7. Anderson, R.J., Barton, C., Böhme, R., Clayton, R., Van Eeten, M.J.G., Levi, M., Moore, T., Savage, S.: Measuring the cost of cybercrime. In: Böhme, R. (Hrsg.) The Economics of Information Security and Privacy, S. 265–300. Springer, Heidelberg, New York, Dordrecht, London (2013)Google Scholar
  8. Ashby, S.G., Buck, T., Nöth-Zahn, S., Peisl, T.: Emerging IT risks: insights from German banking. Geneva Pap. Risk Insur. Issues Pract. 43(2), 180–207 (2018)Google Scholar
  9. Aytes, K., Connolly, T.: Computer security and risky computing practices: a rational choice perspective. J. Organ. End User Comput. 16(3), 22–40 (2004)Google Scholar
  10. Baban, C.P., Barker, T., Gruchmann, Y., Paun, C., Peters, A.C., Stuchtey, T.H.: Cyberversicherungen als Beitrag zum IT-Risikomanagement – Eine Analyse der Märkte für Cyberversicherungen in Deutschland, der Schweiz, den USA und Großbritannien. Standpunkt zivile Sicherheit Nr. 8. Brandenburgisches Institut für Gesellschaft und Sicherheit gGmbH (BIGS), Potsdam (2017). http://www.bigs-potsdam.org/images/weitere_Publikationen/Standpunkt_8_2017%20Online.pdf, Zugegriffen: 7. Dez. 2018Google Scholar
  11. Baer, W.S.: Rewarding IT security in the marketplace. Contemp. Secur. Policy 24(1), 190–208 (2003)Google Scholar
  12. Baer, W.S., Parkinson, A.: Cyberinsurance in IT security management. IEEE. Secur. Priv. 5(3), 50–56 (2007)Google Scholar
  13. Bandyopadhyay, T., Jacob, V., Raghunathan, S.: Information security in networked supply chains: impact of network vulnerability and supply chain integration on incentives to invest. Inf. Technol. Manage. 11(1), 7–23 (2010)Google Scholar
  14. Bandyopadhyay, T., Shidore, S.: Towards a Managerial Decision Framework for Utilization of Cyber Insurance Instruments in IT security. In: Proceedings of the 17th Americas Conference on Information Systems (AMCIS), Detroit, August 4–7, 2011 (2011)Google Scholar
  15. Bandyopadhyay, T.: Organizational Adoption of Cyber Insurance Instruments in IT Security Risk Management—A Modeling Approach. In: Proceedings of the 15th Annual Conference of the Southern Association for Information Systems (SAIS), Atlanta, March 23–24, 2012 (2012)Google Scholar
  16. Bandyopadhyay, T., Mookerjee, V.S., Rao, R.C.: Why IT managers don’t go for cyber-insurance products. Commun. ACM 52(11), 68–73 (2009)Google Scholar
  17. Bauer, J.M., Van Eeten, M.J.G.: Cybersecurity: stakeholder incentives, externalities, and policy options. Telecomm. Policy 33(10–11), 706–719 (2009)Google Scholar
  18. Bendovschi, A.: Cyber-attacks—trends, patterns and security countermeasures. Procedia Econ. Financ. 28, 24–31 (2015)Google Scholar
  19. Biener, C., Eling, M., Matt, A., Wirfs, J.H.: Cyber Risk: Risikomanagement und Versicherbarkeit. I•VW HSG Schriftenreihe, Bd. 54. Institut für Versicherungswirtschaft. Universität St. Gallen, St. Gallen (2015a)Google Scholar
  20. Biener, C., Eling, M., Wirfs, J.H.: Insurability of cyber risk: an empirical analysis. Geneva Pap. Risk Insur. Issues Pract. 40(1), 131–158 (2015b)Google Scholar
  21. Blakley, B., McDermott, E., Geer, D.: Information Security is Information Risk Management. In: Proceedings of the New Security Paradigms Workshop (NSPW), Cloudcroft, September 10–13, 2001 (2001)Google Scholar
  22. Bley, K., Leyh, C., Schäffer, T.: Digitization of German Enterprises in the Production Sector—Do they know how “digitized” they are?. In: Proceedings of the 22nd Americas Conference on Information Systems (AMCIS), San Diego, August 11–14, 2016 (2016)Google Scholar
  23. Blind, K.: Eine Analyse der Versicherung von Risiken der Informationssicherheit in Kommunikationsnetzen. Z. Ges. Versicherungswiss. 85(1), 81–101 (1996)Google Scholar
  24. Blind, K.: Insuring risks to information safety in communication systems in Germany. J. Insur. Regul. 19(3), 466–490 (2001)Google Scholar
  25. Bogner, A., Littig, B., Menz, W.: Interviews mit Experten: Eine praxisorientierte Einführung. Springer VS, Wiesbaden (2014)Google Scholar
  26. Böhme, R.: Cyber-Insurance Revisited. In: Proceedings of the 4th Workshop on the Economics of Information Security (WEIS), Cambridge, June 2–3, 2005 (2005a)Google Scholar
  27. Böhme, R.: IT-Risiken im Schadenversicherungsmodell: Implikationen der Marktstruktur. In: Federrath, H. (Hrsg.) Sicherheit 2005: Sicherheit – Schutz und Zuverlässigkeit, Beiträge der 2. Jahrestagung des Fachbereichs Sicherheit der Gesellschaft für Informatik e.V. (GI), Regensburg, 5.–8. April 2005, S. 27–40. Köllen, Bonn (2005b)Google Scholar
  28. Böhme, R., Kataria, G.: Models and Measures for Correlation in Cyber-Insurance. In: Proceedings of the 5th Workshop on the Economics of Information Security (WEIS), Cambridge, June 26–28, 2006 (2006a)Google Scholar
  29. Böhme, R., Kataria, G.: On the limits of cyber-insurance. In: Fischer-Hübner, S., Furnell, S., Lambrinoudakis, C. (Hrsg.) Trust and Privacy in Digital Business: Third International Conference, TrustBus 2006, Kraków, Poland, September 4–8, 2006. Proceedings, S. 31–40. Springer, Berlin, Heidelberg (2006b)  Google Scholar
  30. Böhme, R., Schwartz, G.: Modeling Cyber-Insurance: Towards A Unifying Framework. In: Proceedings of the 9th Workshop on the Economics of Information Security (WEIS), Cambridge, June 7–8, 2010 (2010)Google Scholar
  31. Bolot, J., Lelarge, M.: Cyber insurance as an incentive for Internet security. In: Johnson, M.E. (Hrsg.) Managing Information Risk and the Economics of Security, S. 269–290. Springer, Boston (2009)Google Scholar
  32. Brancheau, J.C., Janz, B.D., Wetherbe, J.C.: Key issues in information systems management: 1994–95 SIM Delphi results. MIS Q. 20(2), 225–242 (1996)Google Scholar
  33. Bulgurcu, B., Cavusoglu, H., Benbasat, I.: Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS Q. 34(3), 523–548 (2010)Google Scholar
  34. Bundesverband Informationswirtschaft, Telekommunikation und neue Medien e. V. (Bitkom) (Hrsg.): IT-Risiko- und Chancenmanagement im Unternehmen: Ein LEITFADEN für kleine und mittlere Unternehmen (2006). https://www.bitkom.org/noindex/Publikationen/2006/Leitfaden/Leitfaden-IT-Risiko-und-Chancenmanagement-fuer-kleine-und-mittlere-Unternehmen/060601-Bitkom-Leitfaden-IT-Risikomanagement-V10-final.pdf, Zugegriffen: 7. Dez. 2018Google Scholar
  35. Bundesverband Informationswirtschaft, Telekommunikation und neue Medien e. V. (Bitkom) (Hrsg.): Spionage, Sabotage und Datendiebstahl – Wirtschaftsschutz in der Industrie: Studienbericht 2018 (2018). https://www.bitkom.org/sites/default/files/file/import/181008-Bitkom-Studie-Wirtschaftsschutz-2018-NEU.pdf, Zugegriffen: 7. Dez. 2018Google Scholar
  36. Cachia, M., Millward, L.: The telephone medium and semi-structured interviews: a complementary fit. Qual. Res. Organ. Manage. Int. J. 6(3), 265–277 (2011)Google Scholar
  37. Camillo, M.: Cyber risk and the changing role of insurance. J. Cyber Policy 2(1), 53–63 (2017)Google Scholar
  38. Cavusoglu, H., Cavusoglu, H., Raghunathan, S.: Economics of IT security management: four improvements to current security practices. Commun. AIS 14, 65–75 (2004)Google Scholar
  39. Cavusoglu, H., Cavusoglu, H., Son, J.-Y., Benbasat, I.: Institutional pressures in security management: direct and indirect influences on organizational investment in information security control resources. Inf. Manage. 52(4), 385–400 (2015)Google Scholar
  40. Cebula, J.J., Popeck, M.E., Young, L.R.: A Taxonomy of Operational Cyber Security Risks Version 2. Technical Note CMU/SEI-2014-TN-006. Software Engineering Institute. Carnegie Mellon University, Pittsburgh (2014). http://resources.sei.cmu.edu/asset_files/TechnicalNote/2014_004_001_91026.pdf, Zugegriffen: 7. Dez. 2018Google Scholar
  41. Cepeda, G., Martin, D.: A review of case studies publishing in Management Decision 2003–2004: guides and criteria for achieving quality in qualitative research. Manage. Decis. 43(6), 851–876 (2005)Google Scholar
  42. Chertoff, M.: The cybersecurity challenge. Regul. Gov. 2(4), 480–484 (2008)Google Scholar
  43. Chief Risk Officer (CRO) Forum: Cyber resilience—The cyber risk challenge and the role of insurance (2014). https://www.thecroforum.org/wp-content/uploads/2015/01/Cyber-Risk-Paper-version-24-1.pdf, Zugegriffen: 7. Dez. 2018Google Scholar
  44. Choi, N., Kim, D., Goo, J., Whitmore, A.: Knowing is doing: an empirical validation of the relationship between managerial information security awareness and action. Inf. Manage. Comput. Secur. 16(5), 484–501 (2008)Google Scholar
  45. Choo, K.-K.R.: The cyber threat landscape: challenges and future research directions. Comput. Secur. 30(8), 719–731 (2011)Google Scholar
  46. Choudhry, U.: Der Cyber-Versicherungsmarkt in Deutschland: Eine Einführung. Springer Gabler, Wiesbaden (2014)Google Scholar
  47. Christmann, G.B.: Expert interviews on the telephone: a difficult undertaking. In: Bogner, A., Littig, B., Menz, W. (Hrsg.) Interviewing Experts, S. 157–183. Palgrave Macmillan, London (2009)Google Scholar
  48. Cox, J.: Information systems user security: a structured model of the knowing–doing gap. Comput. Hum. Behav. 28(5), 1849–1858 (2012)Google Scholar
  49. Deane, J.K., Ragsdale, C.T., Rakes, T.R., Rees, L.R.: Managing supply chain risk and disruption from IT security incidents. Oper. Manage. Res. 2(1–4), 4–12 (2009)Google Scholar
  50. De Smidt, G.A., Botzen, W.J.W.: Perceptions of corporate cyber risks and insurance decision-making. Geneva Pap. Risk Insur. Issues Pract. 43(2), 239–274 (2018)Google Scholar
  51. Diekmann, A.: Empirische Sozialforschung: Grundlagen, Methoden, Anwendungen, 18. Aufl. Rowohlt, Reinbek (2007)Google Scholar
  52. Dong, L., Tomlin, B.: Managing disruption risk: the interplay between operations and insurance. Manage. Sci. 58(10), 1898–1915 (2012)Google Scholar
  53. Eisenhardt, K.M.: Building theories from case study research. Acad. Manage. Rev. 14(4), 532–550 (1989)Google Scholar
  54. Eisenhardt, K.M., Graebner, M.E.: Theory building from cases: opportunities and challenges. Acad. Manage. J. 50(1), 25–32 (2007)Google Scholar
  55. Eling, M.: Cyber risk and cyber risk insurance: status quo and future research. Geneva Pap. Risk Insur. Issues Pract. 43(2), 175–179 (2018)Google Scholar
  56. Eling, M., Schnell, W.: Ten Key Questions on Cyber Risk and Cyber Risk Insurance. The Geneva Association, Zurich (2016a). https://www.genevaassociation.org/sites/default/files/research-topics-document-type/pdf_public//cyber-risk-10_key_questions.pdf, Zugegriffen: 7. Dez. 2018Google Scholar
  57. Eling, M., Schnell, W.: What do we know about cyber risk and cyber risk insurance?. J. Risk Financ. 17(5), 474–491 (2016b)Google Scholar
  58. Eling, M., Wirfs, J.H.: Cyber Risk: Too Big to Insure?—Risk Transfer Options for a Mercurial Risk Class. I•VW HSG Schriftenreihe, Bd. 59. Institut für Versicherungswirtschaft. Universität St. Gallen, St. Gallen (2016). http://www.ivw.unisg.ch/~/media/internet/content/dateien/instituteundcenters/ivw/studien/cyberrisk2016.pdf, Zugegriffen: 7. Dez. 2018Google Scholar
  59. Eling, M., Wirfs, J.H.: What are the actual costs of cyber risk events?. Eur. J. Oper. Res. 272(3), 1109–1119 (2019)Google Scholar
  60. European Union Agency for Network and Information Security (ENISA): Incentives and barriers of the cyber insurance market in Europe (2012). https://www.enisa.europa.eu/publications/incentives-and-barriers-of-the-cyber-insurance-market-in-europe/at_download/fullReport, Zugegriffen: 7. Dez. 2018Google Scholar
  61. European Union Agency for Network and Information Security (ENISA): Cyber Insurance: Recent Advances, Good Practices and Challenges (2016). https://www.enisa.europa.eu/publications/cyber-insurance-recent-advances-good-practices-and-challenges/at_download/fullReport, Zugegriffen: 7. Dez. 2018Google Scholar
  62. Faisst, U., Prokein, O., Wegmann, N.: Ein Modell zur dynamischen Investitionsrechnung von IT-Sicherheitsmaßnahmen. Z. Betriebswirtsch. 77(5), 511–538 (2007)Google Scholar
  63. Fielder, A., Panaousis, E., Malacaria, P., Hankin, C., Smeraldi, F.: Decision support approaches for cyber security investment. Decis. Support. Syst. 86, 13–23 (2016)Google Scholar
  64. Finfgeld-Connett, D.: Use of content analysis to conduct knowledge-building and theory-generating qualitative systematic reviews. Qual. Res. 14(3), 341–352 (2014)Google Scholar
  65. Firestone, W.A.: Alternative arguments for generalizing from data as applied to qualitative research. Educ. Researcher 22(4), 16–23 (1993)Google Scholar
  66. Flagmeier, W., Heidemann, J.: Sonderheft: Cyber-Versicherungen, 4. Aufl. Wolters Kluwer, Münster (2018)Google Scholar
  67. Franke, U.: The cyber insurance market in Sweden. Comput. Secur. 68, 130–144 (2017)Google Scholar
  68. Gaudenzi, B., Siciliano, G.: Just do it: managing IT and cyber risks to protect the value creation. J. Promot. Manage. 23(3), 372–385 (2017)Google Scholar
  69. Gläser, J., Laudel, G.: Experteninterviews und qualitative Inhaltsanalyse als Instrumente rekonstruierender Untersuchungen, 4. Aufl. VS, Wiesbaden (2010)Google Scholar
  70. Goodhue, D.L., Straub, D.W.: Security concerns of system users: a study of perceptions of the adequacy of security. Inf. Manage. 20(1), 13–27 (1991)Google Scholar
  71. Gordon, L.A., Loeb, M.P.: The economics of information security investment. ACM Trans. Inf. Syst. Secur. 5(4), 438–457 (2002)Google Scholar
  72. Gordon, L.A., Loeb, M.P., Sohail, T.: A framework for using insurance for cyber-risk management. Commun. ACM 46(3), 81–85 (2003)Google Scholar
  73. Grace, M.F., Leverty, J.T., Phillips, R.D., Shimpi, P.: The value of investing in enterprise risk management. J. Risk Insur. 82(2), 289–316 (2015)Google Scholar
  74. Groleau, D., Zelkowitz, P., Cabral, I.E.: Enhancing generalizability: moving from an intimate to a political voice. Qual. Health Res. 19(3), 416–426 (2009)Google Scholar
  75. Grzebiela, T.: Versicherbarkeit von Risiken des E‑Commerce. In: Buhl, H.U., Huther, A., Reitwiesner, B. (Hrsg.) Information Age Economy: 5. Internationale Tagung Wirtschaftsinformatik 2001, S. 409–423. Physica, Heidelberg (2001)Google Scholar
  76. Grzebiela, T.: Insurability of Electronic Commerce Risks. In: Proceedings of the 35th Hawaii International Conference on System Sciences (HICSS), Big Island, January 7–10, 2002 (2002a)Google Scholar
  77. Grzebiela, T.: Internet-Risiken: Versicherbarkeit und Alternativer Risikotransfer, 1. Aufl. Deutscher Universitäts-Verlag, Wiesbaden (2002b)Google Scholar
  78. Guy Carpenter & Company, LLC: Tomorrow Never Knows: Emerging Risks Report September 2013 (2013). http://www.curie.org/sites/default/files/Emerging-Risks-Report-Sept-2013.pdf, Zugegriffen: 7. Dez. 2018Google Scholar
  79. Haas, A., Hofmann, A.: Risiken aus der Nutzung von Cloud-Computing-Diensten: Fragen des Risikomanagements und Aspekte der Versicherbarkeit. Z. Ges. Versicherungswiss. 103(4), 377–407 (2014)Google Scholar
  80. Hartley, J.F.: Case studies in organizational research. In: Cassell, C., Symon, G. (Hrsg.) Qualitative Methods in Organizational Research: A Practical Guide, S. 209–229. SAGE, London (1994)Google Scholar
  81. Harvey, C.D.H.: Telephone survey techniques. Can. Home Econ. J. 38(1), 30–35 (1988)Google Scholar
  82. Herath, H.S.B., Herath, T.C.: Copula-based actuarial model for pricing cyber-insurance policies. Insur. Mark. Co. Anal. Actuar. Comput. 2(1), 7–20 (2011)Google Scholar
  83. Hiller, J.S., Russell, R.S.: The challenge and imperative of private sector cybersecurity: an international comparison. Comput. Law Secur. Rev. 29(3), 236–245 (2013)Google Scholar
  84. Hopf, C.: Qualitative Interviews – Ein Überblick. In: Flick, U., Von Kardorff, E., Steinke, I. (Hrsg.) Qualitative Forschung: Ein Handbuch, 10. Aufl., S. 349–360. Rowohlt, Reinbek (2013)Google Scholar
  85. Hoyt, R.E., Liebenberg, A.P.: The value of enterprise risk management. J. Risk Insur. 78(4), 795–822 (2011)Google Scholar
  86. Hsieh, H.-F., Shannon, S.E.: Three approaches to qualitative content analysis. Qual. Health Res. 15(9), 1277–1288 (2005)Google Scholar
  87. Hu, Q., Hart, P., Cooke, D.: The role of external and internal influences on information systems security—a neo-institutional perspective. J. Strateg. Inf. Syst. 16(2), 153–172 (2007)Google Scholar
  88. Hyman, P.: Cybercrime: it’s serious, but exactly how serious?. Commun. ACM 56(3), 18–20 (2013)Google Scholar
  89. Innerhofer-Oberperfler, F., Breu, R.: Potential rating indicators for cyberinsurance: an exploratory qualitative study. In: Moore, T., Pym, D., Ioannidis, C. (Hrsg.) Economics of Information Security and Privacy, S. 249–278. Springer, Boston (2010)Google Scholar
  90. Institute of Risk Management: Cyber Risk: Resources for Practitioners (2014). https://www.iia.org.uk/media/560694/irm_cyber_risk_for_practioners.pdf, Zugegriffen: 7. Dez. 2018Google Scholar
  91. Järveläinen, J.: IT incidents and business impacts: validating a framework for continuity management in information systems. Int. J. Inf. Manage. 33(3), 583–590 (2013)Google Scholar
  92. Jouini, M., Rabai, L.B.A., Aissa, A.B.: Classification of security threats in information systems. Procedia Comput. Sci. 32, 489–496 (2014)Google Scholar
  93. Kaiser, R.: Qualitative Experteninterviews: Konzeptionelle Grundlagen und praktische Durchführung. Springer VS, Wiesbaden (2014)Google Scholar
  94. Kankanhalli, A., Teo, H.-H., Tan, B.C.Y., Wei, K.-K.: An integrative study of information systems security effectiveness. Int. J. Inf. Manage. 23(2), 139–154 (2003)Google Scholar
  95. Kayworth, T., Whitten, D.: Effective information security requires a balance of social and technology factors. MIS Q. Exec. 9(3), 163–175 (2010)Google Scholar
  96. Keegan, C.: Cyber security in the supply chain: a perspective from the insurance industry. Technovation 34(7), 380–381 (2014)Google Scholar
  97. Kesan, J.P., Majuca, R.P., Yurcik, W.J.: The Economic Case for Cyberinsurance. Working Paper. University of Illinois at Urbana-Champaign. Urbana-Champaign (2004). http://law.bepress.com/cgi/viewcontent.cgi?article=1001&context=uiuclwps, Zugegriffen: 7. Dez. 2018Google Scholar
  98. Kesan, J.P., Majuca, R.P., Yurcik, W.J.: Cyberinsurance as a market-based solution to the problem of cybersecurity—A case study. In: Proceedings of the 4th Workshop on the Economics of Information Security (WEIS), Cambridge, June 2–3, 2005 (2005)Google Scholar
  99. Kesan, J.P., Majuca, R.P., Yurcik, W.J.: Three economic arguments for cyberinsurance. In: Chander, A., Gelman, L., Radin, M.J. (Hrsg.) Securing Privacy in the Internet Age, S. 345–366. Stanford University Press, Stanford (2008)Google Scholar
  100. Kim, W., Jeong, O.-R., Kim, C., So, J.: The dark side of the Internet: attacks, costs and responses. Inf. Syst. 36(3), 675–705 (2011)Google Scholar
  101. Kirkpatrick, K.: Cyber policies on the rise. Commun. ACM 58(10), 21–23 (2015)Google Scholar
  102. Königs, H.-P.: IT-Risikomanagement mit System: Praxisorientiertes Management von Informationssicherheits‑, IT- und Cyberrisiken, 5. Aufl. Springer Vieweg, Wiesbaden (2017)Google Scholar
  103. Kosub, T.: Components and challenges of integrated cyber risk management. Z. Ges. Versicherungswiss. 104(5), 615–634 (2015)Google Scholar
  104. KPMG AG Wirtschaftsprüfungsgesellschaft: e‑Crime in der deutschen Wirtschaft 2017 – Computerkriminalität im Visier (2017a). http://hub.kpmg.de/hubfs/LandingPages-PDF/e-crime-studie-2017-KPMG.pdf, Zugegriffen: 7. Dez. 2018Google Scholar
  105. KPMG AG Wirtschaftsprüfungsgesellschaft: Neues Denken, Neues Handeln – Versicherungen im Zeitalter von Digitalisierung und Cyber Studienteil B: Cyber (2017b). https://assets.kpmg.com/content/dam/kpmg/ch/pdf/neues-denken-neues-handeln-cyber-de.pdf, Zugegriffen: 7. Dez. 2018Google Scholar
  106. Kritzinger, E., Smith, E.: Information security management: an information security retrieval and awareness model for industry. Comput. Secur. 27(5–6), 224–231 (2008)Google Scholar
  107. Kruger, H.A., Kearney, W.D.: A prototype for assessing information security awareness. Comput. Secur. 25(4), 289–296 (2006)Google Scholar
  108. Krummaker, S., Graf von der Schulenburg, J.-M.: Die Versicherungsnachfrage von Unternehmen: Eine Empirische Untersuchung der Sachversicherungsnachfrage deutscher Unternehmen. Z. Ges. Versicherungswiss. 97(1), 79–97 (2008)Google Scholar
  109. Kuckartz, U.: Qualitative Inhaltsanalyse. Methoden, Praxis, Computerunterstützung, 3. Aufl. Beltz Juventa, Weinheim, Basel (2016)Google Scholar
  110. Lai, C., Medvinsky, G., Neuman, C.B.: Endorsements, Licensing, and Insurance for Distributed System Services. In: Proceedings of the 2nd ACM Conference on Computer and Communications Security (CCS), Fairfax, November 2–4, 1994 (1994)Google Scholar
  111. Lambrinoudakis, C., Gritzalis, S., Hatzopoulos, P., Yannacopoulos, A.N., Katsikas, S.: A formal model for pricing information systems insurance contracts. Comput. Stand. Interf. 27(5), 521–532 (2005)Google Scholar
  112. Lamnek, S.: Qualitative Sozialforschung: Lehrbuch, 4. Aufl. Beltz, Weinheim, Basel (2005)Google Scholar
  113. Lebek, B., Uffen, J., Neumann, M., Hohler, B., Breitner, M.H.: Information security awareness and behavior: a theory-based literature review. Manage. Res. Rev. 37(12), 1049–1092 (2014)Google Scholar
  114. Legner, C., Eymann, T., Hess, T., Matt, C., Böhmann, T., Drews, P., Mädche, A., Urbach, N., Ahlemann, F.: Digitalization: opportunity and challenge for the business and information systems engineering community. Bus. Inf. Syst. Eng. 59(4), 301–308 (2017)Google Scholar
  115. Lesch, T., Richter, A.: Risiken aus kommerzieller Nutzung des Internet – Möglichkeiten der Schadenverhütung und Versicherung. Z. Ges. Versicherungswiss. 89(4), 605–633 (2000)Google Scholar
  116. Liebenberg, A.P., Hoyt, R.E.: The determinants of enterprise risk management: evidence from the appointment of chief risk officers. Risk Manage. Insur. Rev. 6(1), 37–52 (2003)Google Scholar
  117. Luftman, J., Ben-Zvi, T.: Key issues for IT executives 2009: difficult economy’s impact on IT. MIS Q. Exec. 9(1), 49–59 (2010)Google Scholar
  118. Majuca, R.P., Yurcik, W.J., Kesan, J.P.: The evolution of cyberinsurance. Working Paper. University of Illinois at Urbana-Champaign, Urbana-Champaign (2006). https://arxiv.org/ftp/cs/papers/0601/0601020.pdf, Zugegriffen: 7. Dez. 2018Google Scholar
  119. Marotta, A., Martinelli, F., Nanni, S., Yautsiukhin, A.: A Survey on Cyber-Insurance. Technical Report IIT TR-17/2015. Istituto di Informatica e Telematica, Consiglio Nazionale delle Ricerche, Pisa (2015). http://www.iit.cnr.it/sites/default/files/TR-17-2015.pdf, Zugegriffen: 7. Dez. 2018Google Scholar
  120. Marotta, A., Martinelli, F., Nanni, S., Orlando, A., Yautsiukhin, A.: Cyber-insurance survey. Comput. Sci. Rev. 24, 35–61 (2017)Google Scholar
  121. Marshall, B., Cardon, P., Poddar, A., Fontenot, R.: Does sample size matter in qualitative research?: a review of qualitative interviews in is research. J. Comput. Inf. Syst. 54(1), 11–22 (2013)Google Scholar
  122. Mayring, P.: Qualitative Inhaltsanalyse: Grundlagen und Techniken, 12. Aufl. Beltz, Weinheim, Basel (2015)Google Scholar
  123. Mayring, P.: Einführung in die qualitative Sozialforschung: Eine Anleitung zu qualitativem Denken, 6. Aufl. Beltz, Weinheim, Basel (2016)Google Scholar
  124. McLellan, E., MacQueen, K.M., Neidig, J.L.: Beyond the qualitative interview: data preparation and transcription. Field Methods 15(1), 63–84 (2003)Google Scholar
  125. Mehl, C.: Insurability of risks on the information highway, from the user’s point of view. Geneva Pap. Risk Insur. Issues Pract. 23(1), 103–111 (1998)Google Scholar
  126. Meland, P.H., Tøndel, I.A., Moe, M.E.G., Seehusen, F.: Facing uncertainty in cyber insurance policies. In: Livraga, G., Mitchell, C. (Hrsg.) Security and Trust Management: 13th International Workshop, STM 2017, Oslo, Norway, September 14–15, 2017. Proceedings, S. 89–100. Springer, Cham (2017)Google Scholar
  127. Meland, P.H., Tøndel, I.A., Solhaug, B.: Mitigating risk with cyberinsurance. IEEE. Secur. Priv. 13(6), 38–43 (2015)Google Scholar
  128. Merkens, H.: Stichproben bei qualitativen Studien. In: Friebertshäuser, B., Prengel, A. (Hrsg.) Handbuch Qualitative Forschungsmethoden in der Erziehungswissenschaft, S. 97–106. Juventa, Weinheim, München (1997)Google Scholar
  129. Meuser, M., Nagel, U.: The expert interview and changes in knowledge production. In: Bogner, A., Littig, B., Menz, W. (Hrsg.) Interviewing Experts, S. 17–42. Palgrave Macmillan, London (2009)Google Scholar
  130. Modrow-Thiel, B.: Qualitative Interviews – Vorgehen und Probleme. Z. Personalforsch. Sonderheft: EMPIRISCHE PERSONALFORSCHUNG, 129–146 (1993)Google Scholar
  131. Moore, T.: The economics of cybersecurity: principles and policy options. Int. J. Crit. Infrastruct. Prot. 3(3–4), 103–117 (2010)Google Scholar
  132. Mukhopadhyay, A., Chatterjee, S., Saha, D., Mahanti, A., Sadhukhan, S.K.: e‑Risk Management with Insurance: A framework using Copula aided Bayesian Belief Networks. In: Proceedings of the 39th Hawaii International Conference on System Sciences (HICSS), Kauai, January 4–7, 2006 (2006)Google Scholar
  133. Mukhopadhyay, A., Chakrabarti, B.B., Saha, D., Mahanti, A.: E‑Risk Management through Self Insurance: An Option Model. In: Proceedings of the 40th Hawaii International Conference on System Sciences (HICSS), Waikoloa, January 3–6, 2007 (2007a)Google Scholar
  134. Mukhopadhyay, A., Chatterjee, S., Roy, R., Saha, D., Mahanti, A., Sadhukhan, S.K.: Insuring Big Losses Due to Security Breaches through Insurance: A Business Model. In: Proceedings of the 40th Hawaii International Conference on System Sciences (HICSS), Waikoloa, January 3–6, 2007 (2007b)Google Scholar
  135. Mukhopadhyay, A., Chatterjee, S., Saha, D., Mahanti, A., Sadhukhan, S.K.: Cyber-risk decision models: to insure IT or not?. Decis. Support. Syst. 56, 11–26 (2013)Google Scholar
  136. Mukhopadhyay, A., Saha, D., Chakrabarti, B.B., Mahanti, A., Podder, A.: Insurance for cyber-risk: a utility model. Decision 32(1), 153–169 (2005)Google Scholar
  137. Myers, M.D., Newman, M.: The qualitative interview in IS research: examining the craft. Inf. Organ. 17(1), 2–26 (2007)Google Scholar
  138. Ng, B.-Y., Kankanhalli, A., Xu, Y.(C.): Studying users’ computer security behavior: a health belief perspective. Decis. Support. Syst. 46(4), 815–825 (2009)Google Scholar
  139. Njegomir, V., Marović, B.: Contemporary trends in the global insurance industry. Procedia Soc. Behav. Sci. 44, 134–142 (2012)Google Scholar
  140. Nosworthy, J.D.: Implementing information security in the 21st century—Do you have the balancing factors?. Comput. Secur. 19(4), 337–347 (2000)Google Scholar
  141. Organisation for Economic Co-operation and Development (OECD): Enhancing the Role of Insurance in Cyber Risk Management (2017). https://www.oecd.org/daf/fin/insurance/Enhancing-the-Role-of-Insurance-in-Cyber-Risk-Management.pdf, Zugegriffen: 7. Dez. 2018Google Scholar
  142. Osborn, E., Simpson, A.: On small-scale IT users’ system architectures and cyber security: a UK case study. Comput. Sci. 70, 27–50 (2017)Google Scholar
  143. Öğüt, H., Raghunathan, S., Menon, N.: Cyber security risk management: public policy implications of correlated risk, imperfect ability to prove loss, and observability of self-protection. Risk Anal. 31(3), 497–512 (2011)Google Scholar
  144. Ponemon Institute, LLC: 2017 Cost of Data Breach Study: Germany (2017). https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=SEL03130DEEN, Zugegriffen: 7. Dez. 2018Google Scholar
  145. Pooser, D.M., Browne, M.J., Arkhangelska, O.: Growth in the perception of cyber risk: evidence from U.S. P&C insurers. Geneva Pap. Risk Insur. Issues Pract. 43(2), 208–223 (2018)Google Scholar
  146. Porro, B., Epprecht, T.: From producing safety to managing risks. Geneva Pap. Risk Insur. Issues Pract. 26(2), 259–267 (2001)Google Scholar
  147. PricewaterhouseCoopers (PwC): Insurance 2020 & beyond: Reaping the dividends of cyber resilience (2015). https://www.pwc.com/gx/en/insurance/publications/assets/reaping-dividends-cyber-resilience.pdf, Zugegriffen: 7. Dez. 2018Google Scholar
  148. Rakes, T.R., Deane, J.K., Rees, L.P.: IT security planning under uncertainty for high-impact events. Omega 40(1), 79–88 (2012)Google Scholar
  149. Ransbotham, S., Mitra, S.: Choice and chance: a conceptual model of paths to information security compromise. Inf. Syst. Res. 20(1), 121–139 (2009)Google Scholar
  150. Refsdal, A., Solhaug, B., Stølen, K.: Cyber-Risk Management. Springer, Cham, Heidelberg, New York, Dordrecht, London (2015)Google Scholar
  151. Romanosky, S., Ablon, L., Kuehn, A., Jones, T.: Content Analysis of Cyber Insurance Policies: How do Carriers Price Cyber Risk?. In: Proceedings of the 16th Workshop on the Economics of Information Security (WEIS), La Jolla, June 26–27, 2017 (2017)Google Scholar
  152. Ruan, K.: Introducing cybernomics: a unifying economic framework for measuring cyber risk. Comput. Secur. 65, 77–89 (2017)Google Scholar
  153. Salmela, H.: Analysing business losses caused by information systems risk: a business process analysis approach. J. Inf. Technol. 23(3), 185–202 (2008)Google Scholar
  154. Schanz, K.-U.: Understanding and Addressing Global Insurance Protection Gaps. The Geneva Association, Zurich (2018). https://www.genevaassociation.org/sites/default/files/research-topics-document-type/pdf_public/understanding_and_addressing_global_insurance_protection_gaps.pdf, Zugegriffen: 7. Dez. 2018Google Scholar
  155. Schneier, B.: Insurance and the computer industry. Commun. ACM 44(3), 114–115 (2001)Google Scholar
  156. Schnell, R., Hill, P.B., Esser, E.: Methoden der empirischen Sozialforschung, 9. Aufl. Oldenbourg, München (2011)Google Scholar
  157. Seibold, H.: IT-Risikomanagement. Oldenbourg, München (2006)Google Scholar
  158. Shackelford, S.J.: Should your firm invest in cyber risk insurance?. Bus. Horiz. 55(4), 349–356 (2012)Google Scholar
  159. Shetty, N., Schwarz, G., Felegyhazi, M., Walrand, J.: Competitive cyber-insurance and Internet security. In: Moore, T., Pym, D., Ioannidis, C. (Hrsg.) Economics of Information Security and Privacy, S. 229–247. Springer, Boston (2010)Google Scholar
  160. Shetty, S., McShane, M., Zhang, L., Kesan, J.P., Kamhoua, C.A., Kwiat, K., Njilla, L.L.: Reducing informational disadvantages to improve cyber risk management. Geneva Pap. Risk Insur. Issues Pract. 43(2), 224–238 (2018)Google Scholar
  161. Siegel, C., Sagalow, T.R., Serritella, P.: Cyber-risk management: technical and insurance controls for enterprise-level security. Inf. Syst. Secur. 11(5), 33–49 (2002)Google Scholar
  162. Siponen, M.T.: A conceptual foundation for organizational information security awareness. Inf. Manage. Comput. Secur. 8(1), 31–41 (2000a)Google Scholar
  163. Siponen, M.T.: Critical analysis of different approaches to minimizing user‐related faults in information systems security: implications for research and practice. Inf. Manage. Comput. Secur. 8(5), 197–209 (2000b)Google Scholar
  164. Siponen, M.T.: Five dimensions of information security awareness. ACM SIGCAS Comput. Soc. 31(2), 24–29 (2001)Google Scholar
  165. Smith, G.S.: Recognizing and preparing loss estimates from cyber-attacks. Inf. Syst. Secur. 12(6), 46–57 (2004)Google Scholar
  166. Smith, G.E., Watson, K.J., Baker, W.H., Pokorski II, J.A.: A critical balance: collaboration and security in the IT-enabled supply chain. Int. J. Prod. Res. 45(11), 2595–2613 (2007)Google Scholar
  167. Sonnenreich, W., Albanese, J., Stout, B.: Return On Security Investment (ROSI)—a practical quantitative model. J. Res. Pract. Inf. Technol. 38(1), 45–56 (2006)Google Scholar
  168. Spears, J.L., Barki, H.: User participation in information systems security risk management. MIS Q. 34(3), 503–522 (2010)Google Scholar
  169. Srinidhi, B., Yan, J., Tayi, G.K.: Allocation of resources to cyber-security: the effect of misalignment of interest between managers and investors. Decis. Support. Syst. 75, 49–62 (2015)Google Scholar
  170. Stewart, H., Jürjens, J.: Information security management and the human aspect in organizations. Inf. Comput. Secur. 25(5), 494–534 (2017)Google Scholar
  171. Straub, D.W., Welke, R.J.: Coping with systems risk: security planning models for management decision making. MIS Q. 22(4), 441–469 (1998)Google Scholar
  172. Strupczewski, G.: The cyber insurance market in Poland and determinants of its development from the insurance broker’s perspective. Econ. Bus. Rev. 3(2), 33–50 (2017)Google Scholar
  173. Sturges, J.E., Hanrahan, K.J.: Comparing telephone and face-to-face qualitative interviewing: a research note. Qual. Res. 4(1), 107–118 (2004)Google Scholar
  174. Thomson, M.E., Von Solms, R.: Information security awareness: educating your users effectively. Inf. Manage. Comput. Secur. 6(4), 167–173 (1998)Google Scholar
  175. Tøndel, I.A., Meland, P.H., Omerovic, A., Gjære, E.A., Solhaug, B.: Using Cyber-Insurance as a Risk Management Strategy: Knowledge Gaps and Recommendations for Further Research. Technical Report SINTEF A27298. SINTEF ICT, Oslo (2015). https://brage.bibsys.no/xmlui/bitstream/handle/11250/2379189/SINTEF%2bA27298.pdf?sequence=3&isAllowed=y, Zugegriffen: 7. Dez. 2018Google Scholar
  176. Tøndel, I.A., Seehusen, F., Gjære, E.A., Moe, M.E.G.: Differentiating cyber risk of insurance customers: the insurance company perspective. In: Buccafurri, F., Holzinger, A., Kieseberg, P., Tjoa, A.M., Weippl, E. (Hrsg.) Availability, Reliability, and Security in Information Systems: IFIP WG 8.4, 8.9, TC 5 International Cross-Domain Conference, CD-ARES 2016, and Workshop on Privacy Aware Machine Learning for Health Data Science, PAML 2016, Salzburg, Austria, August 31–September 2, 2016. Proceedings, S. 175–190. Springer, Cham (2016)Google Scholar
  177. Toregas, C., Zahn, N.: Insurance for Cyber Attacks: The Issue of Setting Premiums in Context. Technical Report GW-CSPRI-2014-1. Cyber Security Policy and Research Institute. The George Washington University, Washington (2014). https://cspri.seas.gwu.edu/sites/cspri.seas.gwu.edu/files/downloads/cyberinsurance_paper_pdf_0.pdf, Zugegriffen: 7. Dez. 2018Google Scholar
  178. Tosh, D.K., Shetty, S., Sengupta, S., Kesan, J.P., Kamhoua, C.A.: Risk management using cyber-threat information sharing and cyber-insurance. In: Duan, L., Sanjab, A., Li, H., Chen, X., Materassi, D., Elazouzi, R. (Hrsg.) Game Theory for Networks: 7th International EAI Conference, GameNets 2017, Knoxville, TN, USA, May 9, 2017. Proceedings, S. 154–164. Springer, Cham (2017)Google Scholar
  179. Tsohou, A., Karyda, M., Kokolakis, S., Kiountouzis, E.: Analyzing trajectories of information security awareness. Inf. Technol. People 25(3), 327–352 (2012)Google Scholar
  180. Tsohou, A., Karyda, M., Kokolakis, S., Kiountouzis, E.: Managing the introduction of information security awareness programmes in organizations. Eur. J. Inf. Syst. 24(1), 38–58 (2015)Google Scholar
  181. Veit, D., Clemons, E., Benlian, A., Buxmann, P., Hess, T., Kundisch, D., Leimeister, J.M., Loos, P., Spann, M.: Business models—an information systems research agenda. Bus. Inf. Syst. Eng. 6(1), 45–53 (2014)Google Scholar
  182. Von Solms, R., Van Niekerk, J.: From information security to cyber security. Comput. Secur. 38, 97–102 (2013)Google Scholar
  183. Whitman, M.E.: In defense of the realm: understanding the threats to information security. Int. J. Inf. Manage. 24(1), 43–57 (2004)Google Scholar
  184. Wirfs, J.H.: How to Organize Cyber Risk Transfer?. Working Paper No. 183. Institut für Versicherungswirtschaft. Universität St. Gallen, St. Gallen (2016). http://www.ivw.unisg.ch/~/media/internet/content/dateien/instituteundcenters/ivw/wps/wp183.pdf, Zugegriffen: 7. Dez. 2018Google Scholar
  185. Woods, D., Simpson, A.: Policy measures and cyber insurance: a framework. J. Cyber Policy 2(2), 209–226 (2017)Google Scholar
  186. Woods, D., Agrafiotis, I., Nurse, J.R.C., Creese, S.: Mapping the coverage of security controls in cyber insurance proposal forms. J. Internet Serv. Appl. 8(1), Artikel 8 (2017).  https://doi.org/10.1186/s13174-017-0059-y Google Scholar
  187. Wopperer, W.: Fraud risks in e‑commerce transactions. Geneva Pap. Risk Insur. Issues Pract. 27(3), 383–394 (2002)Google Scholar
  188. World Economic Forum: Partnering for Cyber Resilience: Risk and Responsibility in a Hyperconnected World—Principles and Guidelines. Report REF 270912, Cologny (2012). http://www3.weforum.org/docs/WEF_IT_PartneringCyberResilience_Guidelines_2012.pdf, Zugegriffen: 7. Dez. 2018Google Scholar
  189. Yin, R.K.: Case Study Research: Design and Methods, 5. Aufl. SAGE, Los Angeles, London, New Delhi, Singapore, Washington (2014)Google Scholar
  190. Young, D., Lopez Jr., J., Rice, M., Ramsey, B., McTasney, R.: A framework for incorporating insurance in critical infrastructure cyber risk strategies. Int. J. Crit. Infrastruct. Prot. 14, 43–57 (2016)Google Scholar
  191. Zhao, X., Xue, L., Whinston, A.B.: Managing interdependent information security risks: cyberinsurance, managed security services, and risk pooling arrangements. J. Manage. Inf. Syst. 30(1), 123–152 (2013)Google Scholar

Copyright information

© Springer-Verlag GmbH Deutschland, ein Teil von Springer Nature 2019

Authors and Affiliations

  • Dirk Wrede
    • 1
    Email author
  • Thorben Freers
    • 2
  • Johann-Matthias Graf von der Schulenburg
    • 1
  1. 1.Institut für VersicherungsbetriebslehreGottfried Wilhelm Leibniz Universität HannoverHannoverDeutschland
  2. 2.Gottfried Wilhelm Leibniz Universität HannoverHannoverDeutschland

Personalised recommendations